Hi Guys,

I can back that up also. I noticed that I had to delete the SADs to get the connection up and going again when my connection went down. I noticed that it particularly happened when the end that did NOT initiate the VPN tunnel dropped off, or was it the other way around :-\ . Anyway, deleting the SADs did the trick.

dasz wrote:
>
> I had a similar issue . . . . . Monowall 1.1 and Cisco (not sure of
> model) . . . any disruption in the connection would cause it to not be
> able to reconnect (it would seem as though it was connected, but no
> traffic would pass).
>
> I found that if you go into Diagnostics --> IPSEC --> SAD tab and
> delete all entries that have the source or destination IP of the
> Cisco, then re-establish the tunnel and see if traffic passes.
>
> As I was doing a lot of config changes over a week's time I found that
> this consistently worked - i.e. I would make a change that would drop
> all the tunnels, the admin of the Cisco would then call within 20
> minutes saying the tunnel dropped then reconnected and no traffic was
> getting through, I would then delete the SAD entries for his IP, the
> tunnel would then reconnect and work fine until the next change . . . . .
>
> On the last drop we dug deeper into the logs and found that the
> lifetime for Phase 2 didn't match on both sides (the Cisco would
> connect and pass traffic, but logged something about the phase 2
> lifetime).
>
> One indicator that put me on to deleting the SAD entries was that
> there were multiple entries for the Cisco IP in each column.
>
> I am not sure if we resolved the issue as there have been no changes
> or disruption in our service recently . . . .
>
> David Z
>
> ----- Original Message -----
> From: "Sean Waite" <swaite at sbn dash services dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, December 20, 2005 10:44 PM
> Subject: [m0n0wall] IPSEC VPN -No traffic pass through
>
>
>> Last week the internet was shut down temporarily disconnecting my VPN.
>> At the one end is a Cisco PIX 506, the other is m0n0wall 1.2.
>> When I got back home where the m0n0wall box is I could not get the
>> tunnel back up. Now at this point both the PIX and the m0n0wall box
>> report an IPSEC tunnel. The problem is no traffic is going through.
>> Until now the VPN tunnel had worked for about 2-3 months without
>> issue. Although from time to time when my IP address at home would
>> change I would have to set the new one in the PIX as my identifier.
>>
>> I am relatively new to IPSEC VPNs, especially with m0n0wall. The
>> first error message "/kernel: WARNING: pseudo-random number generator
>> used for IPsec processing" has never affected the tunnel. The second
>> "ignore RESPONDER-LIFETIME notification" I have not been able to
>> diagnose, as all lifetimes are set to 86400 on both ends. The last
>> one "ipsec_doi.c:918:cmp_aproppair_i(): attribute has been modified"
>> is new to me, but I believe is the cause of the problem. Thus far I
>> have not been able to find any information on this.
>>
>> Any tips, ideas, or help would be very much appreciated.
>>
>> Below is the log and racoon.conf:
>> ________________________________________________________________________
>>
>> RACOON.CONF:
>> path pre_shared_key "/var/etc/psk.txt";
>>
>> path certificate "/var/etc";
>>
>> remote 6*.***.***.** {
>>         exchange_mode aggressive;
>>         my_identifier address "7*.***.***.**";
>>
>>         peers_identifier address 6*.***.***.**;
>>         initial_contact on;
>>         support_proxy on;
>>         proposal_check obey;
>>
>>         proposal {
>>                 encryption_algorithm des;
>>                 hash_algorithm md5;
>>                 authentication_method pre_shared_key;
>>                 dh_group 1;
>>                 lifetime time 86400 secs;
>>         }
>>         lifetime time 86400 secs;
>> }
>>
>> sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any {
>>         encryption_algorithm des,3des;
>>         authentication_algorithm hmac_sha1,hmac_md5;
>>         compression_algorithm deflate;
>>         lifetime time 86400 secs;
>> }
>> ________________________________________________________________________
>>
>> SPD:
>>
>> 192.168.2.0/24[any] 192.168.2.1[any] any
>>         in none
>>         spid=1 seq=3 pid=363
>>         refcnt=1
>> 192.168.1.0/24[any] 192.168.2.0/24[any] any
>>         in ipsec
>>         esp/tunnel/6*.***.***.**-7*.***.***.**/unique#16386
>>         spid=4 seq=2 pid=363
>>         refcnt=1
>> 192.168.2.1[any] 192.168.2.0/24[any] any
>>         out none
>>         spid=2 seq=1 pid=363
>>         refcnt=1
>> 192.168.2.0/24[any] 192.168.1.0/24[any] any
>>         out ipsec
>>         esp/tunnel/7*.***.***.**-6*.***.***.**/unique#16385
>>         spid=3 seq=0 pid=363
>>         refcnt=1
>> ________________________________________________________________________
>>
>> SAD:
>> 7*.***.*** 6*.***.***.**
>>         esp mode=tunnel spi=1875021408(0x6fc28e60) reqid=16385(0x00004001)
>>         E: des-cbc ******** ********
>>         A: hmac-sha1 ******** ******** ******** ******** ********
>>         seq=0x00000f62 replay=4 flags=0x00000000 state=mature
>>         created: Dec 20 22:44:37 2005 current: Dec 21 03:32:16 2005
>>         diff: 17259(s) hard: 86400(s) soft: 69120(s)
>>         last: Dec 21 03:32:13 2005 hard: 0(s) soft: 0(s)
>>         current: 1834784(bytes) hard: 0(bytes) soft: 0(bytes)
>>         allocated: 3938 hard: 0 soft: 0
>>         sadb_seq=1 pid=365 refcnt=2
>> 6*.***.***.** 7*.***.***
>>         esp mode=tunnel spi=158474755(0x09722203) reqid=16386(0x00004002)
>>         E: des-cbc ******** ********
>>         A: hmac-sha1 ******** ******** ******** ******** ********
>>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>>         created: Dec 20 22:44:37 2005 current: Dec 21 03:32:16 2005
>>         diff: 17259(s) hard: 86400(s) soft: 69120(s)
>>         last: Dec 21 03:31:21 2005 hard: 0(s) soft: 0(s)
>>         current: 73430(bytes) hard: 0(bytes) soft: 0(bytes)
>>         allocated: 788 hard: 0 soft: 0
>>         sadb_seq=0 pid=365 refcnt=1
>> ________________________________________________________________________
>>
>> LOG:
>> Dec 20 22:44:21 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20050510a
>> Dec 20 22:44:21 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame dot net
>> Dec 20 22:44:21 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
>> Dec 20 22:44:21 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
>> Dec 20 22:44:21 racoon: INFO: isakmp.c:1368:isakmp_open(): 7*.***.***.**[500] used as isakmp port (fd=8)
>> Dec 20 22:44:21 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.2.1[500] used as isakmp port (fd=9)
>> Dec 20 22:44:36 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 6*.***.***.** queued due to no phase1 found.
>> Dec 20 22:44:36 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 7*.***.***.**[500]<=>6*.***.***.**[500]
>> Dec 20 22:44:36 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
>> Dec 20 22:44:36 racoon: NOTIFY: oakley.c:2102:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
>> Dec 20 22:44:36 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 7*.***.***.**[500]-6*.***.***.**[500] spi:*********************************
>> Dec 20 22:44:37 racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 7*.***.***.**[0]<=>6*.***.***.**[0]
>> Dec 20 22:44:37 /kernel: WARNING: pseudo-random number generator used for IPsec processing
>> Dec 20 22:44:37 racoon: WARNING: isakmp_inf.c:1340:isakmp_check_notify(): ignore RESPONDER-LIFETIME notification.
>> Dec 20 22:44:37 racoon: WARNING: ipsec_doi.c:918:cmp_aproppair_i(): attribute has been modified.
>> Dec 20 22:44:37 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 6*.***.***.**->7*.***.***.** spi=158474755(0x9722203)
>> Dec 20 22:44:37 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 7*.***.***.**->6*.***.***.** spi=1875021408(0x6fc28e60)
>> Dec 20 22:46:21 dnsmasq[97]: reading /etc/resolv.conf
>> Dec 20 22:46:21 dnsmasq[97]: using nameserver 2*.**.***.***#53
>>
>> Sean
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
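The remedy the thread converges on (clear every SAD entry for the peer and let racoon renegotiate) and the indicator David mentions (more than one SAD entry per direction for the Cisco's IP) can both be done from a `setkey -D` dump instead of the web GUI. The script below is an added example, not code from the thread or from the m0n0wall project. It parses SAD text in the layout Sean posted, flags directions that carry duplicate SAs and SAs that have outlived their soft lifetime without being replaced, and emits a `setkey -c` script using the `delete src dst protocol spi;` syntax from setkey(8). The SAD text is constructed for the example: RFC 5737 addresses stand in for the masked ones (203.0.113.10 as the m0n0wall WAN, 198.51.100.20 as the Cisco), and the second SA pair is an invented stale leftover from a tunnel flap. Running it assumes a shell on a host with `setkey`; m0n0wall's own interface to the same kernel SAD is the Diagnostics --> IPsec --> SAD tab. One caveat on the posted racoon.conf itself: single DES, MD5 and DH group 1 were already obsolete choices in 2005 and should not be copied from this thread; the parser reports whatever algorithm names appear and does not validate them.

```python
"""Inspect a setkey -D style SAD dump for stale or duplicate IPsec SAs to a peer."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout of the SAD dump quoted in the thread.
# 203.0.113.10 = local m0n0wall WAN, 198.51.100.20 = Cisco (RFC 5737 addresses).
# The third and fourth SAs are an invented stale pair left from a tunnel flap:
# same direction and reqid as the live pair, but well past the soft lifetime.
SAMPLE_SAD = """\
203.0.113.10 198.51.100.20
        esp mode=tunnel spi=1875021408(0x6fc28e60) reqid=16385(0x00004001)
        E: des-cbc ******** ********
        A: hmac-sha1 ******** ******** ******** ******** ********
        seq=0x00000f62 replay=4 flags=0x00000000 state=mature
        created: Dec 20 22:44:37 2005 current: Dec 21 03:32:16 2005
        diff: 17259(s) hard: 86400(s) soft: 69120(s)
        last: Dec 21 03:32:13 2005 hard: 0(s) soft: 0(s)
        current: 1834784(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 3938 hard: 0 soft: 0
        sadb_seq=1 pid=365 refcnt=2
198.51.100.20 203.0.113.10
        esp mode=tunnel spi=158474755(0x09722203) reqid=16386(0x00004002)
        E: des-cbc ******** ********
        A: hmac-sha1 ******** ******** ******** ******** ********
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Dec 20 22:44:37 2005 current: Dec 21 03:32:16 2005
        diff: 17259(s) hard: 86400(s) soft: 69120(s)
        last: Dec 21 03:31:21 2005 hard: 0(s) soft: 0(s)
        current: 73430(bytes) hard: 0(bytes) soft: 0(bytes)
        allocated: 788 hard: 0 soft: 0
        sadb_seq=0 pid=365 refcnt=1
203.0.113.10 198.51.100.20
        esp mode=tunnel spi=40961(0x0000a001) reqid=16385(0x00004001)
        E: des-cbc ******** ********
        A: hmac-sha1 ******** ******** ******** ******** ********
        seq=0x00000101 replay=4 flags=0x00000000 state=mature
        created: Dec 20 06:42:16 2005 current: Dec 21 03:32:16 2005
        diff: 75000(s) hard: 86400(s) soft: 69120(s)
        current: 9020(bytes) hard: 0(bytes) soft: 0(bytes)
        sadb_seq=3 pid=365 refcnt=1
198.51.100.20 203.0.113.10
        esp mode=tunnel spi=40962(0x0000a002) reqid=16386(0x00004002)
        E: des-cbc ******** ********
        A: hmac-sha1 ******** ******** ******** ******** ********
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Dec 20 06:42:16 2005 current: Dec 21 03:32:16 2005
        diff: 75000(s) hard: 86400(s) soft: 69120(s)
        current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
        sadb_seq=2 pid=365 refcnt=1
"""

SA_HEAD = re.compile(r"^(\S+)\s+(\S+)\s*$")                       # "src dst", unindented
SPI_RE = re.compile(r"^\s*(\w+)\s+mode=(\w+)\s+spi=\d+\((0x[0-9a-f]+)\)\s+reqid=\d+\((0x[0-9a-f]+)\)")
ENC_RE = re.compile(r"^\s*E:\s+(\S+)")
AUTH_RE = re.compile(r"^\s*A:\s+(\S+)")
LIFE_RE = re.compile(r"^\s*diff:\s+(\d+)\(s\)\s+hard:\s+(\d+)\(s\)\s+soft:\s+(\d+)\(s\)")
BYTES_RE = re.compile(r"^\s*current:\s+(\d+)\(bytes\)")             # only the byte-count line starts with "current:"
STATE_RE = re.compile(r"state=(\w+)")


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    reqid: int = 0
    enc: str = ""
    auth: str = ""
    state: str = ""
    age: int = 0      # "diff:" seconds since the SA was created
    hard: int = 0
    soft: int = 0
    nbytes: int = 0

    def past_soft_lifetime(self) -> bool:
        # Soft lifetime is when racoon should rekey; an SA still present beyond it was not replaced.
        return self.soft > 0 and self.age > self.soft


def parse_sad(dump: str) -> list[SA]:
    sas: list[SA] = []
    cur: SA | None = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                    # unindented line opens a new SA
            if m := SA_HEAD.match(line):
                cur = SA(src=m.group(1), dst=m.group(2))
                sas.append(cur)
            continue
        if cur is None:
            continue
        if m := SPI_RE.match(line):
            cur.proto, cur.mode = m.group(1), m.group(2)
            cur.spi, cur.reqid = int(m.group(3), 16), int(m.group(4), 16)
        elif m := ENC_RE.match(line):
            cur.enc = m.group(1)
        elif m := AUTH_RE.match(line):
            cur.auth = m.group(1)
        elif m := LIFE_RE.match(line):
            cur.age, cur.hard, cur.soft = (int(g) for g in m.groups())
        elif m := BYTES_RE.match(line):
            cur.nbytes = int(m.group(1))
        elif m := STATE_RE.search(line):
            cur.state = m.group(1)
    return sas


def duplicate_directions(sas: list[SA]) -> dict[tuple[str, str], list[SA]]:
    """Directions (src, dst) that carry more than one SA: the 'multiple entries' indicator."""
    by_dir: dict[tuple[str, str], list[SA]] = defaultdict(list)
    for sa in sas:
        by_dir[(sa.src, sa.dst)].append(sa)
    return {k: v for k, v in by_dir.items() if len(v) > 1}


def report(sas: list[SA], peer: str) -> list[str]:
    lines = []
    for (src, dst), group in sorted(duplicate_directions(sas).items()):
        if peer in (src, dst):
            spis = ", ".join(f"0x{sa.spi:08x}" for sa in group)
            lines.append(f"{src} -> {dst}: {len(group)} SAs ({spis})")
    for sa in sas:
        if peer in (sa.src, sa.dst) and sa.past_soft_lifetime():
            lines.append(f"0x{sa.spi:08x}: age {sa.age}s exceeds soft lifetime {sa.soft}s, not rekeyed")
    return lines


def setkey_delete_commands(sas: list[SA], peer: str) -> list[str]:
    """setkey -c script removing every SA to or from peer; racoon renegotiates on the next matching packet."""
    return [f"delete {sa.src} {sa.dst} {sa.proto} 0x{sa.spi:08x};"
            for sa in sas if peer in (sa.src, sa.dst)]


if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD)
    cisco = "198.51.100.20"
    print("\n".join(report(sas, cisco)))
    print("# feed to: setkey -c")
    print("\n".join(setkey_delete_commands(sas, cisco)))
```

On a real box, replace `SAMPLE_SAD` with the output of `setkey -D` and pipe the generated lines into `setkey -c`; everything for that peer goes, exactly as the GUI procedure in the thread does, and the next outbound packet matching the SPD triggers a fresh phase 2.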